Overview:
The OpenShift Container Platform cluster running in the OpenShift Local (CRC) instance includes an internal container image registry. This internal container image registry is used as a publication target for locally developed container images.
Instructions to Quickly Add Insecure Registries:
Note:
- In this case, we are not saying that TLS won't be used; we are saying that the registry's certificate is not validated, because its root CA has not been imported first.
- To avoid the insecure setting, import the CA via oc create configmap (search this repository).
1. Log in as kubeadmin:
$ oc login -u kubeadmin <api-url-above>
<confirm Login successful>
$ oc config use-context crc-admin
$ oc whoami
<view output - confirm = kubeadmin>
2. Log in to the registry and review Pods and image registry configuration:
$ oc registry login --insecure=true
$ oc get pods -n openshift-image-registry
<view output - should be 4 pods, the operator one and 3 node ones>
$ oc get image.config.openshift.io/cluster -o yaml
<view output>
Notes:
- The spec section is where we define insecure registries, allowed/blocked registries, and add root CA certificates for trust
- The internalRegistryHostname displays the URL of the internal registry (e.g. image-registry.openshift-image-registry.svc:5000)
3. Create a new project (namespace) to tag the image registry:
$ oc new-project <projectname>
<confirm created>
4. Adding images:
Note:
- There are multiple ways to proceed, for example: oc patch to add a registrySources entry to the spec, and oc image mirror to map a remote registry image to a new local one.
a. Use oc patch to add one or multiple insecure registries:
- single:
$ oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["registry.mindwatering.net:5000"]}}}'
- multiple:
$ oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["registry.mindwatering.com:5000","10.0.122.50:8443","quay.io","registry.access.redhat.com","registry.redhat.io"]}}}'
b. Use oc image mirror to mirror a registry image into the local image registry in the <projectname> namespace:
- Map the Red Hat ubi8 image:
$ oc image mirror registry.access.redhat.com/ubi8/ubi:latest=default-route-openshift-image-registry.apps-crc.testing/<projectname>/ubi8:latest --insecure=true --filter-by-os=linux/amd64
c. Use oc edit to edit the image.config.openshift.io/cluster registry entries:
$ oc edit image.config.openshift.io/cluster
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  name: cluster
spec:
  registrySources:
    insecureRegistries:
    - registry.mindwatering.net:5000
    - 10.0.122.50:8443
    allowedRegistries:
    - registry.mindwatering.net:5000
    - 10.0.122.50:8443
    - registry.redhat.io
    - quay.io
    - registry.access.redhat.com
5. Monitor the operator (MCO) rollout of image registries:
Notes:
- Performed in OpenShift by the Machine Config Operator (MCO)
- MCO updates the /etc/containers/registries.conf on each node
- MCO initiates reboot of each node, one at a time
$ oc get machineconfigpool
<view output; note whether the UPDATED column shows TRUE. When done, all nodes should show TRUE>
6. Create a test pod (deployment) using an image in a repository:
a. Create a pod called: test-pull-helloworld
$ oc run test-pull-helloworld --image=registry.mindwatering.net:5000/helloworld:latest --restart=Never
<wait a second>
b. Monitor:
$ oc get pod test-pull-helloworld
<confirm pod READY = 1/1 and STATUS = Running>
Note:
- Repeat the command above until the status shows Running
- If it fails, run oc describe on the pod:
$ oc describe pod test-pull-helloworld
Alternatively, if only the EVENTS section is wanted:
$ oc describe pod test-pull-helloworld | grep -A 5 Events
c. Delete the test pod:
$ oc delete pod test-pull-helloworld
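Added example (not part of the original notes): a Python check to run over the JSON form of the step 2 output (oc get image.config.openshift.io/cluster -o json) after step 4. It lists the registries whose certificate validation is skipped and flags an allowedRegistries list that leaves out the internal registry, since an allow list blocks every registry it does not name. The sample document is constructed from the values in steps 2 and 4c, and the function name audit_image_config is hypothetical.

```python
import json
import sys

# Constructed sample: the shape of `oc get image.config.openshift.io/cluster -o json`,
# filled with the values from step 4c and the hostname shown in step 2.
SAMPLE = json.loads("""
{
  "spec": {"registrySources": {
    "insecureRegistries": ["registry.mindwatering.net:5000", "10.0.122.50:8443"],
    "allowedRegistries": ["registry.mindwatering.net:5000", "10.0.122.50:8443",
                          "registry.redhat.io", "quay.io", "registry.access.redhat.com"]}},
  "status": {"internalRegistryHostname": "image-registry.openshift-image-registry.svc:5000"}
}
""")


def audit_image_config(doc):
    """Return (sorted insecure registries, list of findings) for one Image config."""
    sources = doc.get("spec", {}).get("registrySources") or {}
    insecure = sources.get("insecureRegistries") or []
    allowed = sources.get("allowedRegistries") or []
    blocked = sources.get("blockedRegistries") or []
    internal = doc.get("status", {}).get("internalRegistryHostname")
    findings = []
    if allowed and blocked:
        findings.append("allowedRegistries and blockedRegistries are both set; only one may be used")
    if allowed:
        # An allow list blocks every registry it does not name, the internal one included.
        # Assumption: entries are compared exactly; wildcard entries are not expanded.
        if internal and internal not in allowed:
            findings.append(f"internal registry {internal} is not in allowedRegistries")
        for reg in insecure:
            if reg not in allowed:
                findings.append(f"{reg} is insecure but not allowed; pulls are still blocked")
    for reg in insecure:
        if reg in blocked:
            findings.append(f"{reg} is listed as both insecure and blocked")
    return sorted(insecure), findings


if __name__ == "__main__":
    # Pass a file saved from `oc get ... -o json`; with no argument the sample is used.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    insecure, findings = audit_image_config(doc)
    print("certificate validation skipped for:", ", ".join(insecure) or "none")
    for finding in findings:
        print("finding:", finding)
```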